openvpn endpoint hangs

iow-sre
OpenVpn Newbie
Posts: 2
Joined: Thu May 19, 2022 8:58 am

openvpn endpoint hangs

Post by iow-sre » Thu May 19, 2022 12:27 pm

Hi all!
We've encountered strange OpenVPN service behaviour in our config when OpenVPN server traffic is routed through the tunnel on top of the BGP channel.
The goal is to send traffic from OpenVPN servers to wg14 of vyos-router-1.

This is our network scheme https://ibb.co/vYxp3QQ
A few comments on that:
  • wg14 is a WireGuard site-to-site tunnel on top of the ISP#1 BGP connection with AWS (AWS Direct Connect). This connection does not go through the public internet and works fine by itself: stable, without packet loss, etc.
  • When we route all traffic through any other tunnel (e.g. wg12, wg13), we can establish an OpenVPN connection to any of the 4 OpenVPN endpoints, and all work fine.
  • When routing traffic through the wg14 connection, we can still establish an OpenVPN connection to any of the 4 OpenVPN endpoints. However, this connection lasts a random time, from 10 mins to 1 hour, regardless of traffic usage, and in the end the endpoint freezes and stops responding to any request until the service is restarted.

What we did already:
  • Checked BGP connection stability. All seems OK.
  • Checked the router setup with VyOS support; DNAT, load-balancing, etc. are working fine.
  • There is nothing suspicious in the OpenVPN logs before the issue starts, and no logs after, even with an increased level of verbosity.
Here are the configs for one of the endpoints. The deployment was made on Ubuntu 18.04, OpenVPN 2.4.4 x86_64-pc-linux-gnu, with Puppet; all endpoint settings are identical except for the port, dev name, and server directives.

Server
mode server
client-config-dir /etc/openvpn/1194/client-configs
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-msk.crt
key /etc/openvpn/keys/vpn-msk.key
dh /etc/openvpn/keys/dh2048.pem
proto udp
port 1194
comp-lzo
group nogroup
user nobody
log-append /var/log/openvpn.log
status /var/log/openvpn/1194-status.log
dev tun0
local 10.10.1.31
server 10.1.6.0 255.255.255.0
push "route 10.10.1.0 255.255.255.0"
push "route 10.10.4.0 255.255.252.0"
push "route 10.10.8.0 255.255.252.0"
push "route 10.10.12.0 255.255.255.0"
push "dhcp-option DNS 10.10.1.13"
push "dhcp-option DOMAIN mydomain.lan"
keepalive 10 600
topology net30
verb 3
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
persist-key
persist-tun
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/1194/auth/ldap.conf"
client-cert-not-required
duplicate-cn

# Additional custom options
tun-mtu 1500
tun-mtu-extra 32
reneg-sec 36000
verify-client-cert none


User

client
dev tun
proto udp
remote ISP1_VRRP_IP 2294
remote ISP1_VRRP_IP 2295
remote ISP2_VRRP_IP 2294
remote ISP2_VRRP_IP 2295
remote-random
resolv-retry 10
reneg-sec 0
setenv CLIENT_CERT 0
auth-nocache
auth-user-pass
cipher AES-256-CBC
comp-lzo
float
ifconfig-nowarn
nobind
persist-key
persist-tun
ping 10
redirect-gateway autolocal
tun-mtu 1500
tun-mtu-extra 32
verb 1
<ca>
%CA CONTENTS%
</ca>


Any assistance will be much appreciated.
Thanks
Last edited by iow-sre on Thu May 19, 2022 6:07 pm, edited 1 time in total.
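The two configs above carry several settings worth a second look from a hardening standpoint, independent of the hang itself: no tls-auth/tls-crypt on the control channel, comp-lzo compression, password-only client authentication (client-cert-not-required / verify-client-cert none with the LDAP plugin), no remote-cert-tls server on the client, and cipher AES-256-CBC without data-ciphers. The following linter is an added example, not the poster's code or anything from the OpenVPN project: it parses OpenVPN directives (including inline <ca> blocks and quoted push/plugin arguments) and reports those findings. The sample configs are constructed from the ones posted; the hardened variants, the rule set, and the ta.key path are this example's own assumptions.

```python
"""Lint OpenVPN configs for security-relevant directives.

Added example; not code from the original post or from the OpenVPN project.
The two sample configs are constructed from the directives shown in the
thread; the rule set is this example's own, not a complete hardening list.
"""
import re
import shlex
from typing import Dict, List, Tuple

Config = Dict[str, List[List[str]]]   # directive -> list of argument lists
Finding = Tuple[str, str]             # (severity, message)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed from the server config posted above (key/cert paths omitted).
SERVER_CONF = """
mode server
proto udp
port 1194
comp-lzo
group nogroup
user nobody
keepalive 10 600
cipher AES-256-CBC
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/1194/auth/ldap.conf"
client-cert-not-required
duplicate-cn
reneg-sec 36000
verify-client-cert none
"""

# Constructed from the client config posted above.
CLIENT_CONF = """
client
dev tun
proto udp
remote ISP1_VRRP_IP 2294
remote-random
auth-nocache
auth-user-pass
cipher AES-256-CBC
comp-lzo
float
ping 10
redirect-gateway autolocal
verb 1
<ca>
%CA CONTENTS%
</ca>
"""


def parse_config(text: str) -> Config:
    """Parse OpenVPN directives; a <tag>...</tag> block becomes tag -> ["[INLINE]"]."""
    conf: Config = {}
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if inline_tag:                           # inside an inline block: skip body
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline_tag = m.group(1)
            conf.setdefault(inline_tag, []).append(["[INLINE]"])
            continue
        parts = shlex.split(line)                # keeps quoted push/plugin args intact
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def lint(conf: Config, role: str) -> List[Finding]:
    """Return findings for a parsed config, most severe first. role: server|client."""
    findings: List[Finding] = []

    def has(*keys: str) -> bool:
        return any(k in conf for k in keys)

    # Without tls-auth/tls-crypt the UDP port answers TLS handshakes from any
    # source, exposing the TLS stack to unauthenticated peers (and to DoS).
    if not has("tls-auth", "tls-crypt", "tls-crypt-v2"):
        findings.append(("medium", "no tls-auth/tls-crypt on the control channel"))
    # OpenVPN's own startup warning: compression has been used to break encryption.
    if "comp-lzo" in conf or any(a and a[0] not in ("stub", "stub-v2")
                                 for a in conf.get("compress", [])):
        findings.append(("medium", "data-channel compression enabled"))
    # --cipher alone relies on a deprecated fallback (the client log warns about it).
    if "cipher" in conf and not has("data-ciphers", "data-ciphers-fallback"):
        findings.append(("low", "--cipher set without --data-ciphers"))
    if role == "server":
        # Password-only auth: nothing per-device to revoke if a password leaks.
        if "client-cert-not-required" in conf or ["none"] in conf.get("verify-client-cert", []):
            findings.append(("high", "client certificates not required"))
    elif not has("remote-cert-tls", "verify-x509-name"):
        # Any certificate the CA ever issued would be accepted as the server.
        findings.append(("high", "server identity not pinned (no remote-cert-tls server)"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def lint_text(text: str, role: str) -> List[Finding]:
    return lint(parse_config(text), role)


# Hardened variants of the same configs (ta.key path is hypothetical), to show the rules clear.
HARDENED_SERVER = (SERVER_CONF.replace("comp-lzo\n", "")
                   .replace("client-cert-not-required\n", "")
                   .replace("verify-client-cert none\n", "")
                   + "tls-crypt /etc/openvpn/keys/ta.key\ndata-ciphers AES-256-GCM:AES-128-GCM\n")
HARDENED_CLIENT = (CLIENT_CONF.replace("comp-lzo\n", "")
                   + "remote-cert-tls server\ndata-ciphers AES-256-GCM:AES-128-GCM\n"
                   + "<tls-crypt>\n%TA KEY%\n</tls-crypt>\n")

if __name__ == "__main__":
    for name, text, role in (("server", SERVER_CONF, "server"), ("client", CLIENT_CONF, "client"),
                             ("hardened server", HARDENED_SERVER, "server"),
                             ("hardened client", HARDENED_CLIENT, "client")):
        print(f"== {name}")
        for sev, msg in lint_text(text, role) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it as-is to see the four findings per posted config and none for the hardened variants; point `lint_text` at a real file's contents to check other configs. Note that `client-cert-not-required` and `verify-client-cert none` are redundant here, and that `duplicate-cn` is harmless only because there are no client certificates to duplicate.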

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn endpoint hangs

Post by TinCanTech » Thu May 19, 2022 2:46 pm

Please post your client log at --verb 4

iow-sre
OpenVpn Newbie
Posts: 2
Joined: Thu May 19, 2022 8:58 am

Re: openvpn endpoint hangs

Post by iow-sre » Thu May 19, 2022 6:02 pm

Hello TinCanTech!

Unfortunately, when the freeze happens the client has no logs, even with the "--verb 4" setting.
Client:

$ sudo openvpn --config config.ovpn
2022-05-19 19:30:29 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-05-19 19:30:29 us=11808 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-05-19 19:30:29 us=11911 Current Parameter Settings:
2022-05-19 19:30:29 us=11916 config = 'config.ovpn'
2022-05-19 19:30:29 us=11919 mode = 0
2022-05-19 19:30:29 us=11923 persist_config = DISABLED
2022-05-19 19:30:29 us=11926 persist_mode = 1
2022-05-19 19:30:29 us=11929 show_ciphers = DISABLED
2022-05-19 19:30:29 us=11932 show_digests = DISABLED
2022-05-19 19:30:29 us=11934 show_engines = DISABLED
2022-05-19 19:30:29 us=11937 genkey = DISABLED
2022-05-19 19:30:29 us=11940 genkey_filename = '[UNDEF]'
2022-05-19 19:30:29 us=11942 key_pass_file = '[UNDEF]'
2022-05-19 19:30:29 us=11947 show_tls_ciphers = DISABLED
2022-05-19 19:30:29 us=11950 connect_retry_max = 0
2022-05-19 19:30:29 us=11952 Connection profiles [0]:
2022-05-19 19:30:29 us=11956 proto = udp
2022-05-19 19:30:29 us=11959 local = '[UNDEF]'
2022-05-19 19:30:29 us=11962 local_port = '[UNDEF]'
2022-05-19 19:30:29 us=11964 remote = 'remote_address_1'
2022-05-19 19:30:29 us=11967 remote_port = '2294'
2022-05-19 19:30:29 us=11970 remote_float = ENABLED
2022-05-19 19:30:29 us=11973 bind_defined = DISABLED
2022-05-19 19:30:29 us=11976 bind_local = DISABLED
2022-05-19 19:30:29 us=11979 bind_ipv6_only = DISABLED
2022-05-19 19:30:29 us=11981 connect_retry_seconds = 5
2022-05-19 19:30:29 us=11985 connect_timeout = 120
2022-05-19 19:30:29 us=11987 socks_proxy_server = '[UNDEF]'
2022-05-19 19:30:29 us=11990 socks_proxy_port = '[UNDEF]'
2022-05-19 19:30:29 us=11994 tun_mtu = 1500
2022-05-19 19:30:29 us=11997 tun_mtu_defined = ENABLED
2022-05-19 19:30:29 us=12000 link_mtu = 1500
2022-05-19 19:30:29 us=12002 link_mtu_defined = DISABLED
2022-05-19 19:30:29 us=12006 tun_mtu_extra = 32
2022-05-19 19:30:29 us=12009 tun_mtu_extra_defined = ENABLED
2022-05-19 19:30:29 us=12012 mtu_discover_type = -1
2022-05-19 19:30:29 us=12015 fragment = 0
2022-05-19 19:30:29 us=12018 mssfix = 1450
2022-05-19 19:30:29 us=12021 explicit_exit_notification = 0
2022-05-19 19:30:29 us=12024 tls_auth_file = '[UNDEF]'
2022-05-19 19:30:29 us=12027 key_direction = not set
2022-05-19 19:30:29 us=12030 tls_crypt_file = '[UNDEF]'
2022-05-19 19:30:29 us=12033 tls_crypt_v2_file = '[UNDEF]'
2022-05-19 19:30:29 us=12035 Connection profiles [1]:
2022-05-19 19:30:29 us=12038 proto = udp
2022-05-19 19:30:29 us=12042 local = '[UNDEF]'
2022-05-19 19:30:29 us=12044 local_port = '[UNDEF]'
2022-05-19 19:30:29 us=12047 remote = 'remote_address_1'
2022-05-19 19:30:29 us=12050 remote_port = '2295'
2022-05-19 19:30:29 us=12053 remote_float = ENABLED
2022-05-19 19:30:29 us=12056 bind_defined = DISABLED
2022-05-19 19:30:29 us=12059 bind_local = DISABLED
2022-05-19 19:30:29 us=12062 bind_ipv6_only = DISABLED
2022-05-19 19:30:29 us=12065 connect_retry_seconds = 5
2022-05-19 19:30:29 us=12068 connect_timeout = 120
2022-05-19 19:30:29 us=12070 socks_proxy_server = '[UNDEF]'
2022-05-19 19:30:29 us=12073 socks_proxy_port = '[UNDEF]'
2022-05-19 19:30:29 us=12076 tun_mtu = 1500
2022-05-19 19:30:29 us=12079 tun_mtu_defined = ENABLED
2022-05-19 19:30:29 us=12082 link_mtu = 1500
2022-05-19 19:30:29 us=12085 link_mtu_defined = DISABLED
2022-05-19 19:30:29 us=12088 tun_mtu_extra = 32
2022-05-19 19:30:29 us=12090 tun_mtu_extra_defined = ENABLED
2022-05-19 19:30:29 us=12093 mtu_discover_type = -1
2022-05-19 19:30:29 us=12096 fragment = 0
2022-05-19 19:30:29 us=12099 mssfix = 1450
2022-05-19 19:30:29 us=12102 explicit_exit_notification = 0
2022-05-19 19:30:29 us=12105 tls_auth_file = '[UNDEF]'
2022-05-19 19:30:29 us=12108 key_direction = not set
2022-05-19 19:30:29 us=12111 tls_crypt_file = '[UNDEF]'
2022-05-19 19:30:29 us=12113 tls_crypt_v2_file = '[UNDEF]'
2022-05-19 19:30:29 us=12116 Connection profiles [2]:
2022-05-19 19:30:29 us=12119 proto = udp
2022-05-19 19:30:29 us=12122 local = '[UNDEF]'
2022-05-19 19:30:29 us=12125 local_port = '[UNDEF]'
2022-05-19 19:30:29 us=12128 remote = 'remote_address_2'
2022-05-19 19:30:29 us=12131 remote_port = '2294'
2022-05-19 19:30:29 us=12134 remote_float = ENABLED
2022-05-19 19:30:29 us=12137 bind_defined = DISABLED
2022-05-19 19:30:29 us=12140 bind_local = DISABLED
2022-05-19 19:30:29 us=12143 bind_ipv6_only = DISABLED
2022-05-19 19:30:29 us=12146 connect_retry_seconds = 5
2022-05-19 19:30:29 us=12149 connect_timeout = 120
2022-05-19 19:30:29 us=12151 socks_proxy_server = '[UNDEF]'
2022-05-19 19:30:29 us=12154 socks_proxy_port = '[UNDEF]'
2022-05-19 19:30:29 us=12157 tun_mtu = 1500
2022-05-19 19:30:29 us=12160 tun_mtu_defined = ENABLED
2022-05-19 19:30:29 us=12163 link_mtu = 1500
2022-05-19 19:30:29 us=12166 link_mtu_defined = DISABLED
2022-05-19 19:30:29 us=12169 tun_mtu_extra = 32
2022-05-19 19:30:29 us=12172 tun_mtu_extra_defined = ENABLED
2022-05-19 19:30:29 us=12175 mtu_discover_type = -1
2022-05-19 19:30:29 us=12178 fragment = 0
2022-05-19 19:30:29 us=12180 mssfix = 1450
2022-05-19 19:30:29 us=12184 explicit_exit_notification = 0
2022-05-19 19:30:29 us=12187 tls_auth_file = '[UNDEF]'
2022-05-19 19:30:29 us=12189 key_direction = not set
2022-05-19 19:30:29 us=12192 tls_crypt_file = '[UNDEF]'
2022-05-19 19:30:29 us=12195 tls_crypt_v2_file = '[UNDEF]'
2022-05-19 19:30:29 us=12198 Connection profiles [3]:
2022-05-19 19:30:29 us=12201 proto = udp
2022-05-19 19:30:29 us=12204 local = '[UNDEF]'
2022-05-19 19:30:29 us=12207 local_port = '[UNDEF]'
2022-05-19 19:30:29 us=12210 remote = 'remote_address_2'
2022-05-19 19:30:29 us=12213 remote_port = '2295'
2022-05-19 19:30:29 us=12216 remote_float = ENABLED
2022-05-19 19:30:29 us=12219 bind_defined = DISABLED
2022-05-19 19:30:29 us=12222 bind_local = DISABLED
2022-05-19 19:30:29 us=12225 bind_ipv6_only = DISABLED
2022-05-19 19:30:29 us=12228 connect_retry_seconds = 5
2022-05-19 19:30:29 us=12231 connect_timeout = 120
2022-05-19 19:30:29 us=12233 socks_proxy_server = '[UNDEF]'
2022-05-19 19:30:29 us=12236 socks_proxy_port = '[UNDEF]'
2022-05-19 19:30:29 us=12240 tun_mtu = 1500
2022-05-19 19:30:29 us=12243 tun_mtu_defined = ENABLED
2022-05-19 19:30:29 us=12246 link_mtu = 1500
2022-05-19 19:30:29 us=12248 link_mtu_defined = DISABLED
2022-05-19 19:30:29 us=12251 tun_mtu_extra = 32
2022-05-19 19:30:29 us=12254 tun_mtu_extra_defined = ENABLED
2022-05-19 19:30:29 us=12257 mtu_discover_type = -1
2022-05-19 19:30:29 us=12260 fragment = 0
2022-05-19 19:30:29 us=12263 mssfix = 1450
2022-05-19 19:30:29 us=12266 explicit_exit_notification = 0
2022-05-19 19:30:29 us=12269 tls_auth_file = '[UNDEF]'
2022-05-19 19:30:29 us=12272 key_direction = not set
2022-05-19 19:30:29 us=12275 tls_crypt_file = '[UNDEF]'
2022-05-19 19:30:29 us=12278 tls_crypt_v2_file = '[UNDEF]'
2022-05-19 19:30:29 us=12281 Connection profiles END
2022-05-19 19:30:29 us=12284 remote_random = ENABLED
2022-05-19 19:30:29 us=12287 ipchange = '[UNDEF]'
2022-05-19 19:30:29 us=12296 dev = 'tun'
2022-05-19 19:30:29 us=12299 dev_type = '[UNDEF]'
2022-05-19 19:30:29 us=12302 dev_node = '[UNDEF]'
2022-05-19 19:30:29 us=12308 lladdr = '[UNDEF]'
2022-05-19 19:30:29 us=12311 topology = 1
2022-05-19 19:30:29 us=12314 ifconfig_local = '[UNDEF]'
2022-05-19 19:30:29 us=12317 ifconfig_remote_netmask = '[UNDEF]'
2022-05-19 19:30:29 us=12319 ifconfig_noexec = DISABLED
2022-05-19 19:30:29 us=12322 ifconfig_nowarn = ENABLED
2022-05-19 19:30:29 us=12325 ifconfig_ipv6_local = '[UNDEF]'
2022-05-19 19:30:29 us=12328 ifconfig_ipv6_netbits = 0
2022-05-19 19:30:29 us=12331 ifconfig_ipv6_remote = '[UNDEF]'
2022-05-19 19:30:29 us=12334 shaper = 0
2022-05-19 19:30:29 us=12337 mtu_test = 0
2022-05-19 19:30:29 us=12341 mlock = DISABLED
2022-05-19 19:30:29 us=12343 keepalive_ping = 0
2022-05-19 19:30:29 us=12346 keepalive_timeout = 0
2022-05-19 19:30:29 us=12349 inactivity_timeout = 0
2022-05-19 19:30:29 us=12353 inactivity_minimum_bytes = 0
2022-05-19 19:30:29 us=12356 ping_send_timeout = 10
2022-05-19 19:30:29 us=12358 ping_rec_timeout = 0
2022-05-19 19:30:29 us=12361 ping_rec_timeout_action = 0
2022-05-19 19:30:29 us=12365 ping_timer_remote = DISABLED
2022-05-19 19:30:29 us=12368 remap_sigusr1 = 0
2022-05-19 19:30:29 us=12371 persist_tun = ENABLED
2022-05-19 19:30:29 us=12374 persist_local_ip = DISABLED
2022-05-19 19:30:29 us=12377 persist_remote_ip = DISABLED
2022-05-19 19:30:29 us=12380 persist_key = ENABLED
2022-05-19 19:30:29 us=12383 passtos = DISABLED
2022-05-19 19:30:29 us=12386 resolve_retry_seconds = 10
2022-05-19 19:30:29 us=12389 resolve_in_advance = DISABLED
2022-05-19 19:30:29 us=12392 username = '[UNDEF]'
2022-05-19 19:30:29 us=12395 groupname = '[UNDEF]'
2022-05-19 19:30:29 us=12398 chroot_dir = '[UNDEF]'
2022-05-19 19:30:29 us=12401 cd_dir = '[UNDEF]'
2022-05-19 19:30:29 us=12404 selinux_context = '[UNDEF]'
2022-05-19 19:30:29 us=12407 writepid = '[UNDEF]'
2022-05-19 19:30:29 us=12410 up_script = '/etc/openvpn/scripts/update-systemd-resolved'
2022-05-19 19:30:29 us=12413 down_script = '/etc/openvpn/scripts/update-systemd-resolved'
2022-05-19 19:30:29 us=12417 down_pre = DISABLED
2022-05-19 19:30:29 us=12419 up_restart = DISABLED
2022-05-19 19:30:29 us=12422 up_delay = DISABLED
2022-05-19 19:30:29 us=12425 daemon = DISABLED
2022-05-19 19:30:29 us=12429 inetd = 0
2022-05-19 19:30:29 us=12432 log = DISABLED
2022-05-19 19:30:29 us=12435 suppress_timestamps = DISABLED
2022-05-19 19:30:29 us=12438 machine_readable_output = DISABLED
2022-05-19 19:30:29 us=12441 nice = 0
2022-05-19 19:30:29 us=12445 verbosity = 4
2022-05-19 19:30:29 us=12448 mute = 0
2022-05-19 19:30:29 us=12451 gremlin = 0
2022-05-19 19:30:29 us=12454 status_file = '[UNDEF]'
2022-05-19 19:30:29 us=12457 status_file_version = 1
2022-05-19 19:30:29 us=12460 status_file_update_freq = 60
2022-05-19 19:30:29 us=12463 occ = ENABLED
2022-05-19 19:30:29 us=12466 rcvbuf = 0
2022-05-19 19:30:29 us=12469 sndbuf = 0
2022-05-19 19:30:29 us=12472 mark = 0
2022-05-19 19:30:29 us=12475 sockflags = 0
2022-05-19 19:30:29 us=12478 fast_io = DISABLED
2022-05-19 19:30:29 us=12481 comp.alg = 2
2022-05-19 19:30:29 us=12484 comp.flags = 1
2022-05-19 19:30:29 us=12487 route_script = '[UNDEF]'
2022-05-19 19:30:29 us=12490 route_default_gateway = '[UNDEF]'
2022-05-19 19:30:29 us=12493 route_default_metric = 0
2022-05-19 19:30:29 us=12496 route_noexec = DISABLED
2022-05-19 19:30:29 us=12499 route_delay = 0
2022-05-19 19:30:29 us=12501 route_delay_window = 30
2022-05-19 19:30:29 us=12505 route_delay_defined = DISABLED
2022-05-19 19:30:29 us=12508 route_nopull = DISABLED
2022-05-19 19:30:29 us=12511 route_gateway_via_dhcp = DISABLED
2022-05-19 19:30:29 us=12514 allow_pull_fqdn = DISABLED
2022-05-19 19:30:29 us=12517 [redirect_default_gateway local=0]
2022-05-19 19:30:29 us=12520 management_addr = '[UNDEF]'
2022-05-19 19:30:29 us=12523 management_port = '[UNDEF]'
2022-05-19 19:30:29 us=12526 management_user_pass = '[UNDEF]'
2022-05-19 19:30:29 us=12529 management_log_history_cache = 250
2022-05-19 19:30:29 us=12532 management_echo_buffer_size = 100
2022-05-19 19:30:29 us=12535 management_write_peer_info_file = '[UNDEF]'
2022-05-19 19:30:29 us=12538 management_client_user = '[UNDEF]'
2022-05-19 19:30:29 us=12541 management_client_group = '[UNDEF]'
2022-05-19 19:30:29 us=12544 management_flags = 0
2022-05-19 19:30:29 us=12546 shared_secret_file = '[UNDEF]'
2022-05-19 19:30:29 us=12550 key_direction = not set
2022-05-19 19:30:29 us=12552 ciphername = 'AES-256-CBC'
2022-05-19 19:30:29 us=12555 ncp_enabled = ENABLED
2022-05-19 19:30:29 us=12558 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2022-05-19 19:30:29 us=12562 authname = 'SHA1'
2022-05-19 19:30:29 us=12565 prng_hash = 'SHA1'
2022-05-19 19:30:29 us=12568 prng_nonce_secret_len = 16
2022-05-19 19:30:29 us=12571 keysize = 0
2022-05-19 19:30:29 us=12574 engine = DISABLED
2022-05-19 19:30:29 us=12577 replay = ENABLED
2022-05-19 19:30:29 us=12579 mute_replay_warnings = DISABLED
2022-05-19 19:30:29 us=12582 replay_window = 64
2022-05-19 19:30:29 us=12586 replay_time = 15
2022-05-19 19:30:29 us=12588 packet_id_file = '[UNDEF]'
2022-05-19 19:30:29 us=12591 test_crypto = DISABLED
2022-05-19 19:30:29 us=12594 tls_server = DISABLED
2022-05-19 19:30:29 us=12597 tls_client = ENABLED
2022-05-19 19:30:29 us=12600 ca_file = '[INLINE]'
2022-05-19 19:30:29 us=12603 ca_path = '[UNDEF]'
2022-05-19 19:30:29 us=12606 dh_file = '[UNDEF]'
2022-05-19 19:30:29 us=12609 cert_file = '[UNDEF]'
2022-05-19 19:30:29 us=12612 extra_certs_file = '[UNDEF]'
2022-05-19 19:30:29 us=12615 priv_key_file = '[UNDEF]'
2022-05-19 19:30:29 us=12618 pkcs12_file = '[UNDEF]'
2022-05-19 19:30:29 us=12621 cipher_list = '[UNDEF]'
2022-05-19 19:30:29 us=12624 cipher_list_tls13 = '[UNDEF]'
2022-05-19 19:30:29 us=12627 tls_cert_profile = '[UNDEF]'
2022-05-19 19:30:29 us=12630 tls_verify = '[UNDEF]'
2022-05-19 19:30:29 us=12633 tls_export_cert = '[UNDEF]'
2022-05-19 19:30:29 us=12636 verify_x509_type = 0
2022-05-19 19:30:29 us=12639 verify_x509_name = '[UNDEF]'
2022-05-19 19:30:29 us=12642 crl_file = '[UNDEF]'
2022-05-19 19:30:29 us=12645 ns_cert_type = 0
2022-05-19 19:30:29 us=12648 remote_cert_ku = 0
2022-05-19 19:30:29 us=12651 remote_cert_ku = 0
2022-05-19 19:30:29 us=12654 remote_cert_ku = 0
2022-05-19 19:30:29 us=12657 remote_cert_ku = 0
2022-05-19 19:30:29 us=12660 remote_cert_ku = 0
2022-05-19 19:30:29 us=12663 remote_cert_ku = 0
2022-05-19 19:30:29 us=12666 remote_cert_ku = 0
2022-05-19 19:30:29 us=12668 remote_cert_ku = 0
2022-05-19 19:30:29 us=12671 remote_cert_ku = 0
2022-05-19 19:30:29 us=12674 remote_cert_ku = 0
2022-05-19 19:30:29 us=12677 remote_cert_ku[i] = 0
2022-05-19 19:30:29 us=12680 remote_cert_ku[i] = 0
2022-05-19 19:30:29 us=12682 remote_cert_ku[i] = 0
2022-05-19 19:30:29 us=12685 remote_cert_ku[i] = 0
2022-05-19 19:30:29 us=12688 remote_cert_ku[i] = 0
2022-05-19 19:30:29 us=12691 remote_cert_ku[i] = 0
2022-05-19 19:30:29 us=12694 remote_cert_eku = '[UNDEF]'
2022-05-19 19:30:29 us=12697 ssl_flags = 0
2022-05-19 19:30:29 us=12700 tls_timeout = 2
2022-05-19 19:30:29 us=12703 renegotiate_bytes = -1
2022-05-19 19:30:29 us=12706 renegotiate_packets = 0
2022-05-19 19:30:29 us=12709 renegotiate_seconds = 0
2022-05-19 19:30:29 us=12712 handshake_window = 60
2022-05-19 19:30:29 us=12715 transition_window = 3600
2022-05-19 19:30:29 us=12718 single_session = DISABLED
2022-05-19 19:30:29 us=12721 push_peer_info = DISABLED
2022-05-19 19:30:29 us=12724 tls_exit = DISABLED
2022-05-19 19:30:29 us=12727 tls_crypt_v2_metadata = '[UNDEF]'
2022-05-19 19:30:29 us=12731 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12734 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12737 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12740 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12743 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12746 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12749 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12751 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12754 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12758 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12761 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12764 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12767 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12770 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12773 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12776 pkcs11_protected_authentication = DISABLED
2022-05-19 19:30:29 us=12779 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12782 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12785 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12788 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12791 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12794 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12797 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12800 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12802 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12805 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12808 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12811 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12814 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12817 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12820 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12823 pkcs11_private_mode = 00000000
2022-05-19 19:30:29 us=12826 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12829 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12832 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12835 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12838 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12841 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12844 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12846 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12849 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12852 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12855 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12858 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12861 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12864 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12867 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12870 pkcs11_cert_private = DISABLED
2022-05-19 19:30:29 us=12873 pkcs11_pin_cache_period = -1
2022-05-19 19:30:29 us=12876 pkcs11_id = '[UNDEF]'
2022-05-19 19:30:29 us=12880 pkcs11_id_management = DISABLED
2022-05-19 19:30:29 us=12884 server_network = 0.0.0.0
2022-05-19 19:30:29 us=12887 server_netmask = 0.0.0.0
2022-05-19 19:30:29 us=12895 server_network_ipv6 = ::
2022-05-19 19:30:29 us=12898 server_netbits_ipv6 = 0
2022-05-19 19:30:29 us=12901 server_bridge_ip = 0.0.0.0
2022-05-19 19:30:29 us=12903 server_bridge_netmask = 0.0.0.0
2022-05-19 19:30:29 us=12906 server_bridge_pool_start = 0.0.0.0
2022-05-19 19:30:29 us=12910 server_bridge_pool_end = 0.0.0.0
2022-05-19 19:30:29 us=12913 ifconfig_pool_defined = DISABLED
2022-05-19 19:30:29 us=12916 ifconfig_pool_start = 0.0.0.0
2022-05-19 19:30:29 us=12919 ifconfig_pool_end = 0.0.0.0
2022-05-19 19:30:29 us=12923 ifconfig_pool_netmask = 0.0.0.0
2022-05-19 19:30:29 us=12926 ifconfig_pool_persist_filename = '[UNDEF]'
2022-05-19 19:30:29 us=12929 ifconfig_pool_persist_refresh_freq = 600
2022-05-19 19:30:29 us=12932 ifconfig_ipv6_pool_defined = DISABLED
2022-05-19 19:30:29 us=12935 ifconfig_ipv6_pool_base = ::
2022-05-19 19:30:29 us=12938 ifconfig_ipv6_pool_netbits = 0
2022-05-19 19:30:29 us=12941 n_bcast_buf = 256
2022-05-19 19:30:29 us=12944 tcp_queue_limit = 64
2022-05-19 19:30:29 us=12947 real_hash_size = 256
2022-05-19 19:30:29 us=12951 virtual_hash_size = 256
2022-05-19 19:30:29 us=12954 client_connect_script = '[UNDEF]'
2022-05-19 19:30:29 us=12957 learn_address_script = '[UNDEF]'
2022-05-19 19:30:29 us=12960 client_disconnect_script = '[UNDEF]'
2022-05-19 19:30:29 us=12963 client_config_dir = '[UNDEF]'
2022-05-19 19:30:29 us=12966 ccd_exclusive = DISABLED
2022-05-19 19:30:29 us=12969 tmp_dir = '/tmp'
2022-05-19 19:30:29 us=12972 push_ifconfig_defined = DISABLED
2022-05-19 19:30:29 us=12974 push_ifconfig_local = 0.0.0.0
2022-05-19 19:30:29 us=12978 push_ifconfig_remote_netmask = 0.0.0.0
2022-05-19 19:30:29 us=12981 push_ifconfig_ipv6_defined = DISABLED
2022-05-19 19:30:29 us=12984 push_ifconfig_ipv6_local = ::/0
2022-05-19 19:30:29 us=12987 push_ifconfig_ipv6_remote = ::
2022-05-19 19:30:29 us=12990 enable_c2c = DISABLED
2022-05-19 19:30:29 us=12993 duplicate_cn = DISABLED
2022-05-19 19:30:29 us=12997 cf_max = 0
2022-05-19 19:30:29 us=12999 cf_per = 0
2022-05-19 19:30:29 us=13002 max_clients = 1024
2022-05-19 19:30:29 us=13005 max_routes_per_client = 256
2022-05-19 19:30:29 us=13008 auth_user_pass_verify_script = '[UNDEF]'
2022-05-19 19:30:29 us=13011 auth_user_pass_verify_script_via_file = DISABLED
2022-05-19 19:30:29 us=13014 auth_token_generate = DISABLED
2022-05-19 19:30:29 us=13017 auth_token_lifetime = 0
2022-05-19 19:30:29 us=13020 auth_token_secret_file = '[UNDEF]'
2022-05-19 19:30:29 us=13023 port_share_host = '[UNDEF]'
2022-05-19 19:30:29 us=13026 port_share_port = '[UNDEF]'
2022-05-19 19:30:29 us=13029 vlan_tagging = DISABLED
2022-05-19 19:30:29 us=13032 vlan_accept = all
2022-05-19 19:30:29 us=13035 vlan_pvid = 1
2022-05-19 19:30:29 us=13038 client = ENABLED
2022-05-19 19:30:29 us=13042 pull = ENABLED
2022-05-19 19:30:29 us=13045 auth_user_pass_file = '/etc/openvpn/creds'
2022-05-19 19:30:29 us=13049 OpenVPN 2.5.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
2022-05-19 19:30:29 us=13055 library versions: OpenSSL 1.1.1n FIPS 15 Mar 2022, LZO 2.10
2022-05-19 19:30:29 us=13157 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-05-19 19:30:29 us=13161 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-05-19 19:30:29 us=13488 LZO compression initializing
2022-05-19 19:30:29 us=13531 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-05-19 19:30:29 us=384055 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
2022-05-19 19:30:29 us=384141 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2022-05-19 19:30:29 us=384155 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2022-05-19 19:30:29 us=384173 TCP/UDP: Preserving recently used remote address: [AF_INET]remote_address_1:2294
2022-05-19 19:30:29 us=384224 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-05-19 19:30:29 us=384239 UDP link local: (not bound)
2022-05-19 19:30:29 us=384250 UDP link remote: [AF_INET]remote_address_1:2294
2022-05-19 19:30:29 us=392404 TLS: Initial packet from [AF_INET]remote_address_1:2294, sid=0d0d157d 566215d2
2022-05-19 19:30:29 us=408679 VERIFY OK: %CA_DATA%, name=EasyRSA, emailAddress=%email%
2022-05-19 19:30:29 us=408994 VERIFY OK: %CA_DATA% CN=server, name=EasyRSA, emailAddress=%email%
2022-05-19 19:30:30 us=375806 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-05-19 19:30:30 us=375899 [server] Peer Connection Initiated with [AF_INET]remote_address_1:2294
2022-05-19 19:30:31 us=586402 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2022-05-19 19:30:31 us=597927 PUSH: Received control message: 'PUSH_REPLY,route 10.10.1.0 255.255.255.0,route 10.10.4.0 255.255.252.0,route 10.10.8.0 255.255.252.0,route 10.10.12.0 255.255.255.0,dhcp-option DNS 10.10.1.13,dhcp-option DOMAIN mydomain.lan,route 10.1.6.1,topology net30,ping 10,ping-restart 600,ifconfig 10.1.6.14 10.1.6.13,peer-id 4,cipher AES-256-GCM'
2022-05-19 19:30:31 us=598118 OPTIONS IMPORT: timers and/or timeouts modified
2022-05-19 19:30:31 us=598135 OPTIONS IMPORT: --ifconfig/up options modified
2022-05-19 19:30:31 us=598147 OPTIONS IMPORT: route options modified
2022-05-19 19:30:31 us=598158 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-05-19 19:30:31 us=598169 OPTIONS IMPORT: peer-id set
2022-05-19 19:30:31 us=598180 OPTIONS IMPORT: adjusting link_mtu to 1657
2022-05-19 19:30:31 us=598190 OPTIONS IMPORT: data channel crypto options modified
2022-05-19 19:30:31 us=598204 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-05-19 19:30:31 us=598228 Data Channel MTU parms [ L:1585 D:1450 EF:53 EB:411 ET:32 EL:3 ]
2022-05-19 19:30:31 us=598374 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-05-19 19:30:31 us=598393 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-05-19 19:30:31 us=598427 net_route_v4_best_gw query: dst 0.0.0.0
2022-05-19 19:30:31 us=598603 net_route_v4_best_gw result: via 192.168.0.1 dev wlp0s20f3
2022-05-19 19:30:31 us=598677 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp0s20f3 HWADDR=08:6a:c5:4a:d3:0a
2022-05-19 19:30:31 us=600404 TUN/TAP device tun0 opened
2022-05-19 19:30:31 us=600444 do_ifconfig, ipv4=1, ipv6=0
2022-05-19 19:30:31 us=600499 net_iface_mtu_set: mtu 1500 for tun0
2022-05-19 19:30:31 us=600572 net_iface_up: set tun0 up
2022-05-19 19:30:31 us=602187 net_addr_ptp_v4_add: 10.1.6.14 peer 10.1.6.13 dev tun0
2022-05-19 19:30:31 us=604602 /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1585 10.1.6.14 10.1.6.13 init
<14>May 19 19:30:31 update-systemd-resolved: Link 'tun0' coming up
<14>May 19 19:30:31 update-systemd-resolved: Adding IPv4 DNS Server 10.10.1.13
<14>May 19 19:30:31 update-systemd-resolved: Setting DNS Domain mydomain.lan
<14>May 19 19:30:31 update-systemd-resolved: SetLinkDNS(124 1 2 4 10 10 1 13)
<14>May 19 19:30:31 update-systemd-resolved: SetLinkDomains(124 1 mydomain.lan false)
2022-05-19 19:30:31 us=626677 ROUTE remote_host is NOT LOCAL
2022-05-19 19:30:31 us=626742 net_route_v4_add: remote_address_1/32 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=626928 net_route_v4_del: 0.0.0.0/0 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628156 net_route_v4_add: 0.0.0.0/0 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628218 net_route_v4_add: 10.10.1.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628280 net_route_v4_add: 10.10.4.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628318 net_route_v4_add: 10.10.8.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628403 net_route_v4_add: 10.10.12.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628445 net_route_v4_add: 10.1.6.1/32 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628492 Initialization Sequence Completed

#### Hung at around 20:48; I stopped it manually

^C2022-05-19 20:51:56 us=164456 event_wait : Interrupted system call (code=4)
2022-05-19 20:51:56 us=164750 TCP/UDP: Closing socket
2022-05-19 20:51:56 us=164814 net_route_v4_del: 10.10.1.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=166305 net_route_v4_del: 10.10.4.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=167199 net_route_v4_del: 10.10.8.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=168271 net_route_v4_del: 10.10.12.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=169438 net_route_v4_del: 10.1.6.1/32 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=170637 net_route_v4_del: remote_address_1/32 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=172391 net_route_v4_del: 0.0.0.0/0 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=175115 net_route_v4_add: 0.0.0.0/0 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=178010 Closing TUN/TAP interface
2022-05-19 20:51:56 us=178108 net_addr_ptp_v4_del: 10.1.6.14 dev tun0
2022-05-19 20:51:56 us=194054 /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1585 10.1.6.14 10.1.6.13 init
Device "tun0" does not exist.
<11>May 19 20:51:56 update-systemd-resolved: Invalid device name: 'tun0'. Usage: update-systemd-resolved up|down device_name.
2022-05-19 20:51:56 us=218339 WARNING: Failed running command (--up/--down): external program exited with error status: 1
2022-05-19 20:51:56 us=218489 Exiting due to fatal error
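One thing this log does allow a defender to verify is whether the host's routing table was left clean at exit: a client that dies mid-session leaves the default route pointing into a tunnel that no longer exists, which is a traffic blackhole rather than a leak, but an unclean `--down` can also leave split-tunnel routes behind. The script below is an added example, not the poster's code: it replays the `net_route_v4_add` / `net_route_v4_del` lines in order and reports leftover tunnel routes, pre-existing routes that were removed and never restored, and where the default route ends up. The sample lines are copied from the log in this post (placeholder addresses kept as posted); the hard-kill scenario is constructed by truncating that log.

```python
"""Replay OpenVPN route changes from a client log and report what is left.

Added example, not code from the original post. The sample log lines below
are copied from the verb-4 client log in this thread (placeholder addresses
kept as posted); the truncated "hard kill" scenario is constructed.
"""
import re
from typing import Dict, Tuple

ROUTE_RE = re.compile(
    r"net_route_v4_(?P<op>add|del): (?P<dst>\S+) via (?P<gw>\S+) "
    r"dev \S+ table (?P<table>\d+)")
Key = Tuple[str, str]            # (destination prefix, kernel routing table)

SAMPLE_LOG = """\
2022-05-19 19:30:31 us=626742 net_route_v4_add: remote_address_1/32 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=626928 net_route_v4_del: 0.0.0.0/0 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628156 net_route_v4_add: 0.0.0.0/0 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628218 net_route_v4_add: 10.10.1.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628280 net_route_v4_add: 10.10.4.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628318 net_route_v4_add: 10.10.8.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628403 net_route_v4_add: 10.10.12.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628445 net_route_v4_add: 10.1.6.1/32 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 19:30:31 us=628492 Initialization Sequence Completed
2022-05-19 20:51:56 us=164814 net_route_v4_del: 10.10.1.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=166305 net_route_v4_del: 10.10.4.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=167199 net_route_v4_del: 10.10.8.0/22 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=168271 net_route_v4_del: 10.10.12.0/24 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=169438 net_route_v4_del: 10.1.6.1/32 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=170637 net_route_v4_del: remote_address_1/32 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=172391 net_route_v4_del: 0.0.0.0/0 via 10.1.6.13 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=175115 net_route_v4_add: 0.0.0.0/0 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-05-19 20:51:56 us=218489 Exiting due to fatal error
"""


def replay(log: str) -> dict:
    """Walk add/del lines in order. Returns leftover tunnel routes, pre-existing
    routes that were removed and never put back, and the final default gateway."""
    table: Dict[Key, Tuple[str, str]] = {}   # key -> (gateway, "openvpn"|"preexisting")
    removed: Dict[Key, str] = {}             # pre-existing routes OpenVPN deleted
    for line in log.splitlines():
        m = ROUTE_RE.search(line)
        if not m:
            continue                         # not a route-change line
        key, gw = (m["dst"], m["table"]), m["gw"]
        if m["op"] == "add":
            if removed.get(key) == gw:       # the original route is being put back
                del removed[key]
                table[key] = (gw, "preexisting")
            else:
                table[key] = (gw, "openvpn")
        elif key in table:
            del table[key]
        else:                                # deleting a route we never saw added
            removed[key] = gw
    return {
        "leftover": {k: gw for k, (gw, origin) in table.items() if origin == "openvpn"},
        "not_restored": dict(removed),
        "default_gw": table.get(("0.0.0.0/0", "0"), (None, None))[0],
    }


def truncated(log: str, marker: str = "Initialization Sequence Completed") -> str:
    """Constructed scenario: the process is killed right after the marker line,
    so no teardown lines are ever written."""
    return log.split(marker, 1)[0]


if __name__ == "__main__":
    for name, text in (("clean exit", SAMPLE_LOG), ("hard kill", truncated(SAMPLE_LOG))):
        r = replay(text)
        print(f"== {name}: default via {r['default_gw']}, "
              f"{len(r['leftover'])} tunnel routes left, "
              f"{len(r['not_restored'])} original routes not restored")
        for (dst, tbl), gw in r["leftover"].items():
            print(f"   leftover {dst} via {gw} table {tbl}")
```

For the posted log every route OpenVPN added is deleted again and the default route returns to 192.168.0.1, so the failing `--down` script did not leave the host steering traffic into a dead tunnel; the truncated scenario shows the seven routes and the missing default route a hard kill would leave behind. The same log also shows the script being invoked after tun0 had already been closed ("Device "tun0" does not exist."); OpenVPN's `--down-pre` directive runs the `--down` script before the interface is torn down, while the device still exists.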

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn endpoint hangs

Post by TinCanTech » Thu May 19, 2022 6:23 pm

iow-sre wrote:
Thu May 19, 2022 6:02 pm
when the freeze happens client have no logs even with "--verb 4" setting
OpenVPN always produces a log if you configure it to do so.

Also, your log does not show the error, all it shows is Control-C exit.

Your networking is obviously too complex for you to manage; if you need professional assistance then I am available for hire.
